<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
In retrospect, I spoke in haste, and error.<br>
<br>
You do indeed need two connections, but they may not be immediately
apparent. Simply having two connections, e.g. Spoke A Network
<-> localnet, and Spoke B Network <-> localnet will not
work, as ipsec does not automagically route between existing
connections. This would constitute a VPN security violation. From
what I remember, ipsec connection entries are also security
policies, consisting basically of: "machine at Right IP agrees to
exchange traffic with machine at Left IP that consists of packets
sourced from Right Network to Left Network". <br>
<br>
Let me mention that I hate that "left" and "right" nomenclature is
used for both host (VPN concentrator) and subnet declarations, when
(again, if I'm remembering correctly), the left and right networks
need not be local to the left and right hosts.<br>
<br>
So, you need one connection entry from Spoke Network A at Spoke
Machine A to Spoke Network B at Localnet Machine, and another
connection entry from Spoke Network B at Spoke Machine B to Spoke
Network A at Localnet Machine, in order for the spokes to talk to
each other via your localnet machine. <br>
<br>
If you already have functional connections from each spoke to your
localnet (which I'm guessing is true, and the source of your
original question), leave those in place if you want access to both
spokes from hosts within localnet.<br>
<br>
The above advice is dredging up memories from over a decade, so if
my memory is failing me, or if this is just plain outdated advice,
then I beg your forgiveness. Also, I made a lot of assumptions - if
I'm way off base, you have my apologies.<br>
<br>
Thanks,<br>
-Jon<br>
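<br>
Editor's note with an added worked example (not from Jon's or Leonard's messages, and
not Openswan project code): below is what the four-connection layout Jon describes
looks like in an Openswan ipsec.conf on the hub, using the prefixes from the original
question (Azure 172.16.0.0/23, AWS 10.10.10.0/23, hub LAN 192.168.1.0/24) and the
netkey stack. The gateway addresses (203.0.113.10, 198.51.100.20, 192.0.2.30) are
hypothetical documentation-range values, and PSK authentication is assumed for brevity.
The first two conns are the ones the poster already has; the last two are the cross
entries in which the hub advertises one spoke's prefix as its own "left" subnet toward
the other spoke, which is exactly the "left network need not be local to the left host"
point above.<br>
<br>
```ini
# Added example: Openswan ipsec.conf for a hub joining two cloud spokes.
# All addresses of the IKE peers are hypothetical (RFC 5737 ranges).
config setup
    protostack=netkey
    nat_traversal=yes

# Defaults shared by every tunnel; "left" is always the hub itself.
conn %default
    left=203.0.113.10            # hub public IP (hypothetical)
    authby=secret                # PSKs live in ipsec.secrets (assumed)
    type=tunnel
    ikelifetime=8h
    keylife=1h
    pfs=yes
    auto=start

# --- Existing connections: hub LAN to each spoke ---
conn hub-azure
    leftsubnet=192.168.1.0/24
    right=198.51.100.20          # Azure VPN gateway (hypothetical)
    rightsubnet=172.16.0.0/23

conn hub-aws
    leftsubnet=192.168.1.0/24
    right=192.0.2.30             # AWS VGW tunnel endpoint (hypothetical)
    rightsubnet=10.10.10.0/23

# --- Added connections: spoke to spoke through the hub ---
# Toward Azure the hub claims the AWS prefix, so the SA's traffic
# selectors are 10.10.10.0/23 <-> 172.16.0.0/23. Without this SA the
# kernel has no policy for that address pair and will not forward it.
conn aws-via-hub-to-azure
    leftsubnet=10.10.10.0/23
    right=198.51.100.20
    rightsubnet=172.16.0.0/23

# Toward AWS the hub claims the Azure prefix.
conn azure-via-hub-to-aws
    leftsubnet=172.16.0.0/23
    right=192.0.2.30
    rightsubnet=10.10.10.0/23
```
<br>
Three checks go with this. First, netkey hands decrypted packets to the normal IP
stack, so the hub must have net.ipv4.ip_forward=1 and its FORWARD chain must permit
172.16.0.0/23 &lt;-&gt; 10.10.10.0/23 without NAT, otherwise the cross traffic is dropped
or re-sourced and no longer matches any policy. Second, the peer side has to agree: the
Azure gateway's definition of what lies behind the hub must include 10.10.10.0/23 and
the AWS side's must include 172.16.0.0/23, or the gateways will neither negotiate those
selectors nor route into them, no matter how the hub is configured. Third, compare what
was actually negotiated against what was intended with <code>ipsec auto --status</code>
and <code>ip xfrm policy</code> on the hub: if a peer negotiates one wide selector
(route-based mode) rather than per-subnet pairs, the extra conns above are not the fix
and the routing/selector change belongs on the gateway side.<br>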
<br>
<div class="moz-cite-prefix">On 3/8/2016 1:29 AM, Jon Fox wrote:<br>
</div>
<blockquote cite="mid:56DE7F69.5000906@sacredregion.com" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<blockquote type="cite">I have two connection entries in the
ipsec.conf</blockquote>
<br>
I've done spoke-hub with ipsec in the distant past.<br>
<br>
IIRC, you need either one connection entry (spoke A-to-spoke B),
or three connection entries (spoke A-to-spoke B, spoke A to
localnet, and spoke B to localnet). What exactly do you have
configured for the left and right networks of your existing two(?)
connections?<br>
<br>
-Jon<br>
<br>
<div class="moz-cite-prefix">On 3/7/2016 10:55 PM, Leonard Wood
wrote:<br>
</div>
<blockquote cite="mid:000301d178f6$c75d8d60$5618a820$@ufl.edu"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Daniel,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks for
responding. I have not received any replies, yet. After
researching this extensively, I suspect my issue may be a
result of using the netkey protocol (default) vs klips. I
don’t think netkey has the ability to route traffic
between two local subnets. I can run tcpdump on the local
openswan (hub) instance and see ICMP packets coming in
from the Spokes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">My thinking
is because the entire payload and header are encrypted,
and without some mechanism (i.e., klips) to decipher it,
the datagram doesn’t know where to go once it reaches
Openswan (Hub)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">But I could
be wrong.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Leonard<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Daniel Cave [<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:dan.cave@me.com">mailto:dan.cave@me.com</a>]
<br>
<b>Sent:</b> Monday, March 07, 2016 12:47 PM<br>
<b>To:</b> Leonard Wood<br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] Hub-Spoke
Configuration<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><br>
Hello Leonard <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">Did you get any replies to this? <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">I suspect you may be experiencing
issues with firewall/security group/rules issues <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">Have you tried establishing hub to
spoke end connectivity on each side and end to end testing
by connecting using netcat? <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 2 Mar 2016, at 20:00, Leonard Wood <<a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:leonardw@ufl.edu">leonardw@ufl.edu</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Does anyone have any documentation on
setting up a ‘hub and spoke’ configuration using
Openswan?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I have a scenario where I am
connecting both Azure and AWS to a single Openswan
instance using each prospective provider’s VPN gateway.
The tunnels come up and everything is fine with one
exception. Resources deployed in Azure cannot
communicate with resources deployed in AWS, and vice
versa. Both can communicate with the Openswan instance,
however. The route tables are correctly set up in AWS
and Azure so I am convinced it's my configuration.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I have two connection entries in the
ipsec.conf<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">(Spoke1) Azure = 172.16.0.0/23<o:p></o:p></p>
<p class="MsoNormal">(Spoke2) AWS = 10.10.10.0/23<o:p></o:p></p>
<p class="MsoNormal">Hub Network = Openswan =
192.168.1.0/24<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I am also using netkey for the
protocol.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any help with getting nodes in spoke
1 to communicate with nodes in spoke 2 would be greatly
appreciated!<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">_______________________________________________<br>
<a moz-do-not-send="true"
href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
<a moz-do-not-send="true"
href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a moz-do-not-send="true"
href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with
Openswan:<br>
<a moz-do-not-send="true"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</blockquote>
</blockquote>
<br>
</body>
</html>